Using Kirby in SPA: Disable default REST API endpoints

Hello,

I’m planning to create a new website with a single-page application. While trying out the Kirby API, I noticed that the current API endpoints don’t really serve the purpose of my SPA. It’s not a big deal, I can just create my own endpoints.

The idea is to have registered and logged-in users be able to access the SPA. Let’s call them Basic Users. Registration, sign-in, and all basic user account activities will be carried out in the front-end, so they need not and should not access the panel. But to enable the API for the SPA, I need to allow panel access for them:

/site/blueprints/users/basic.yml

title: Basic User

default: true

# Basic user needs to access panel for the Rest API, but nothing else
permissions:
  access:
    *: false
    panel: true
  pages: false
  files: false
  languages: false
  site: false
  user: false
  users: false

However, I’m a bit concerned. With the above permissions, a basic user

  • is still able to access the panel and see their own settings page. While the permissions seem to prevent the user from doing any harm, it’s a bit awkward.
  • can still send a GET request to /api/users and receive a list of all other users, effectively receiving a list of email addresses registered to the service, which of course is a big no.

I’m not sure if the latter one is a bug. But in any case, at this point, I’d rather hear if there is a way to disable the default endpoints completely for Basic users, or other ideas on how to reinforce the API security.

Come to think of it, I don’t see a reason not to develop a custom REST API altogether. But I’m not quite sure how to get the user object of the visitor (if the visitor using the API is logged in).

The following works when accessing it directly from the browser, but sending a GET request with the correct CSRF token results in “no user”, and I’m kicked out of the panel in another browser tab.

Kirby::plugin('webapp/api', [
    'routes' => [
        [
            'pattern' => 'webapp-api/test',
            'action'  => function () {
                // logged-in user for this request, or null if there is no session
                $user = kirby()->user();

                $result = [];
                $result['user'] = $user ? $user->email() : 'no user';
                return $result;
            }
        ]
    ]
]);

Never mind, the previous code example works. I had a piece of code in the page controller which logged the user out. So it appears that one can make a fresh REST API by using routes, and therefore avoid giving a logged-in user panel access.

Thank you for coming to my TED talk.

You can also create custom “API endpoints” instead of the general routes: API | Kirby CMS

Those come with authentication enabled by default (you can disable authentication by setting "auth" to false).
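As an added example (not the poster’s code and not Kirby’s own), this combines the two approaches from the thread: a plugin that registers custom API endpoints under /api/ which hand back only the calling user’s own record, so the SPA never needs the stock /api/users listing that the first post objects to. The endpoint names `webapp/me` and `webapp/status` are assumptions; the `auth` option and `kirby()->user()` come from the thread above.

```php
<?php
// Added example: custom Kirby API endpoints for an SPA that expose only the
// caller's own account. Endpoint names are assumptions for illustration.

use Kirby\Exception\PermissionException;

Kirby::plugin('webapp/api', [
    'api' => [
        'routes' => [
            [
                // Reachable at /api/webapp/me. Kirby's own authentication
                // runs first because 'auth' is true (the default).
                'pattern' => 'webapp/me',
                'method'  => 'GET',
                'auth'    => true,
                'action'  => function () {
                    $user = kirby()->user();

                    // Refuse to answer unless a user is actually logged in,
                    // even though 'auth' should already have enforced this.
                    if ($user === null) {
                        throw new PermissionException('Not logged in');
                    }

                    // Return only the caller's own data, never other users'
                    // e-mail addresses as /api/users would.
                    return [
                        'email' => $user->email(),
                        'name'  => $user->name()->value(),
                        'role'  => $user->role()->name(),
                    ];
                }
            ],
            [
                // Public endpoint: reveals nothing about any account, only
                // whether the visitor currently has a session.
                'pattern' => 'webapp/status',
                'method'  => 'GET',
                'auth'    => false,
                'action'  => function () {
                    return ['loggedIn' => kirby()->user() !== null];
                }
            ]
        ]
    ]
]);
```

Whether Kirby’s API authentication also requires the role to have panel access (the coupling the first post describes) depends on the Kirby version in use, so check that against the installed version before relying on it to keep Basic Users away from the stock endpoints.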